CVE-2008-4360 - Secunia Advisories - Vulnerability Information

CVE Reference: CVE-2008-4360
NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2008-4360

Description: mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.

CVE Status: Candidate

References: XF http://xforce.iss.net/xforce/xfdb/45689 SUSE http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html SAID Secunia Advisory: SA32132 Secunia Advisory: SA32069 Secunia Advisory: SA32834 Secunia Advisory: SA32972 Secunia Advisory: SA32480 MLIST http://openwall.com/lists/oss-security/2008/09/30/3 http://openwall.com/lists/oss-security/2008/09/30/2 http://openwall.com/lists/oss-security/2008/09/30/1 GENTOO http://security.gentoo.org/glsa/glsa-200812-04.xml DEBIAN http://www.debian.org/security/2008/dsa-1645 CONFIRM http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309 http://wiki.rpath.com/Advisories:rPSA-2008-0309 http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch http://trac.lighttpd.net/trac/ticket/1589 http://trac.lighttpd.net/trac/changeset/2283 http://trac.lighttpd.net/trac/changeset/2308 BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/497932/100/0/threaded BID 31600

Return to the previous page.